maria-discuss team mailing list archive

Re: CentOS Docker Container Image not only for OpenShift

 

Thanks for the feedback, Kolbe.

On 10/23/2015 06:41 PM, Kolbe Kegel wrote:
I find the use of environment variables to hold passwords to be a really troubling feature of the way many Docker images are built and used.

I agree this is not a very good solution and we need to come up with something better, that will also work in kubernetes. If anybody knows about something handy, I'd be glad to hear about it. So far, we've just used what other images do, which is not ideal at all.

In an environment where Docker linking is not used, perhaps the environment variable problem is somewhat less severe. But I'm really troubled by this statement:

"Changing database passwords through SQL statements or any way other than through
the environment variables aforementioned will cause a mismatch between the
values stored in the variables and the actual passwords. Whenever a database
container starts it will reset the passwords to the values stored in the
environment variables."

That sounds to me like a security catastrophe.

In case the user cares about keeping the container password unknown to other containers and the docker daemon itself, the stack can be initialized with some init-only root password and changed afterwards. If I understand what your concern is, it's the reset of the password, right? I guess we may change that behavior to not do anything if the password is not set and the data directory is already initialized. Is that something that would help here from your point of view?

Honza

Kolbe

On Oct 22, 2015, at 11:26 PM, Honza Horak <hhorak@xxxxxxxxxx> wrote:

For those who are interested in containers, I'd like to share a Docker image that we've produced at Red Hat in cooperation with the OpenShift guys, and I will be really glad for any feedback you have.

The image can be used in OpenShift or run directly. But what I find really interesting is a PoC implementation of master/slave, which is not documented as an official feature yet, but it can be used as simply as this:

  docker pull centos/mariadb-100-centos7

  docker run -e MYSQL_MASTER_USER=master \
             -e MYSQL_MASTER_PASSWORD=master \
             -e MYSQL_DATABASE=db \
             -e MYSQL_USER=user \
             -e MYSQL_PASSWORD=foo \
             -e MYSQL_ROOT_PASSWORD=rootpasswd \
             -d centos/mariadb-100-centos7 mysqld-master

  docker run -e MYSQL_MASTER_USER=master \
             -e MYSQL_MASTER_PASSWORD=master \
             -e MYSQL_DATABASE=db \
             -e MYSQL_MASTER_SERVICE_NAME=<master_ip> \
             -d centos/mariadb-100-centos7 mysqld-slave

More info about the image available here:
https://hub.docker.com/r/centos/mariadb-100-centos7/

As said above, any feedback welcome :)

Honza
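
Added illustration, not part of the thread and not the image's own entrypoint code: a sketch of the start-up decision discussed above, where an already initialized data directory is left alone unless `MYSQL_ROOT_PASSWORD` is set. The function name, the action names, the `mysql` subdirectory used as the "initialized" marker and the refusal to initialize without a password are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical helper: decide what a container start should do with the root
# password. Prints one of: init, reset, keep, fail.
decide_root_password_action() {
    datadir=$1
    # Assumption: the "mysql" system database directory exists only after
    # the data directory has been initialized.
    if [ -d "$datadir/mysql" ]; then
        if [ -n "${MYSQL_ROOT_PASSWORD:-}" ]; then
            # Behaviour quoted in the thread: the variable overrides
            # whatever password was later set through SQL.
            echo reset
        else
            # Proposed behaviour: no variable, existing data, so a password
            # changed through SQL survives the restart.
            echo keep
        fi
    elif [ -n "${MYSQL_ROOT_PASSWORD:-}" ]; then
        # First start: an init-only password that the operator changes
        # afterwards through SQL.
        echo init
    else
        # Assumption: refuse to create a root account without a password.
        echo fail
    fi
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample data directories: one empty, one initialized.
    mkdir -p "$tmp/fresh" "$tmp/used/mysql"
    for dir in fresh used; do
        for pw in "" "init-only-secret"; do
            action=$(MYSQL_ROOT_PASSWORD=$pw decide_root_password_action "$tmp/$dir")
            printf '%-5s MYSQL_ROOT_PASSWORD=%-18s -> %s\n' "$dir" "${pw:-<unset>}" "$action"
        done
    done
    rm -rf "$tmp"
}

demo
```

With this logic, the init-only password only has to be present in the environment of the first run; later runs started without the variable take the `keep` branch.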



